Loftvex Catalog Risk Audit Privacy Policy

Last updated: March 11, 2026

Loftvex Catalog Risk Audit helps Shopify merchants identify catalog data issues. This policy explains what information the app accesses, how it is used, and how merchants can contact us about privacy questions.

Data roles

• For merchant store data processed through the app, the merchant is generally the controller and Loftvex acts as a processor or service provider on the merchant's behalf.
• For our own operational records, billing records, and support communications, Loftvex acts as the controller.

Information we access from Shopify

• Product and variant catalog data needed to perform read-only catalog diagnostics.
• Inventory-related product and variant settings used to evaluate catalog-risk rules.
• Shop domain, installation metadata, and embedded session context required to authenticate merchants and keep the embedded app working.
• Store and account identity metadata that Shopify provides during app installation, embedded Admin use, billing, and support context, such as shop owner or staff contact details associated with the Shopify account.

Information we do not intentionally collect

• The app is designed around the read_products scope and does not intentionally request customer, order, or payment data for its core workflow.
• The app is read-only. It does not write catalog changes back to Shopify.
• The app does not use staff or owner contact metadata to scan products, make catalog decisions, or sell merchant data.

How we use information

• Generate catalog audit findings, summaries, trend views, and CSV exports requested by the merchant.
• Store merchant-selected settings such as audit thresholds, exclusions, severity preferences, and monitoring cadence.
• Maintain logs and service records needed for reliability, debugging, abuse prevention, and merchant support.

Sources of information

• Directly from Shopify when a merchant installs or uses the app.
• Directly from the merchant when the merchant changes settings, contacts support, or interacts with billing flows.
• Automatically from the app runtime and infrastructure for security, performance, and error diagnostics.

Cookies and local storage

Loftvex uses a strictly necessary cookie (catalog_audit_shop) to remember the merchant's shop domain during authentication and embedded app context flows. The app may also use browser session storage for short-lived reconnect state needed to complete Shopify installation and reauthorization flows.

Sharing and subprocessors

• Cloudflare provides hosting, edge delivery, and application runtime services.
• Shopify provides app platform, authentication, billing, and API infrastructure.
• We may share information with professional advisors or authorities when required by law, legal process, or to protect the security and integrity of the service.

International transfers

Information may be processed in countries where our service providers operate. Where required, we rely on contractual and operational safeguards intended to support lawful cross-border processing.

Retention and deletion

• Audit settings, audit history, and monitoring settings are retained while the app remains installed unless deletion is requested sooner.
• Operational logs and support records may be retained for a limited period as reasonably necessary for security, fraud prevention, legal compliance, and support follow-up.
• On uninstall or shop redaction events, stored app data for that shop is scheduled for deletion from app-controlled storage.

Privacy law compliance requests

The app supports Shopify's mandatory privacy webhooks, including customer data requests, customer redaction, and shop redaction. We use those requests to help merchants satisfy deletion and access obligations that apply to app data.

Merchant choices and rights

Merchants can request access, correction, deletion, or portability of applicable personal data, subject to law. Merchants can also uninstall the app at any time through Shopify.

Security

We use reasonable administrative, technical, and organizational measures intended to protect information against unauthorized access, loss, misuse, or alteration. No system can be guaranteed to be perfectly secure.

Changes to this policy

We may update this policy from time to time. When we do, we will update the “Last updated” date on this page. Material changes will apply prospectively once published.

Contact

For privacy questions or requests, contact support@loftvex.app.